Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Role-Based Access Controls



David F. Ferraiolo, David R. Kuhn


While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control: role-based access control (RBAC) that is more central to the secure processing needs of non-military systems than DAC.
Proceedings Title
15th National Computer Security Conference
Conference Dates
October 13-16, 1992
Conference Location
Baltimore, MD


access control, computer security, discretionary access control, integrity, mandatory access control, role, RBAC, role based access control, TCSEC


Ferraiolo, D. and Kuhn, D. (1992), Role-Based Access Controls, 15th National Computer Security Conference, Baltimore, MD, [online], (Accessed May 30, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created October 13, 1992, Updated February 19, 2017